APT37 / ScarCruft
North Korea's primary espionage unit focused on South Korean domestic targets — government, academia, think tanks, North Korea-focused journalists, and defectors. ScarCruft's intelligence collection feeds directly into Pyongyang's decision-making on South Korean politics, defector networks, and international perceptions of the regime. Highly active through 2025, with campaigns targeting national intelligence researchers, former government officials, and cybersecurity professionals. In December 2025, the group introduced air-gap bridging capability via USB — the Ruby Jumper campaign — representing a significant escalation in reach toward isolated high-security systems.
Overview
APT37 / ScarCruft is North Korea's primary domestic intelligence collection apparatus in cyberspace — a unit assessed to operate under the Reconnaissance General Bureau (RGB) with a mission that is narrower and more focused than North Korea's other hacking groups. Where Lazarus Group pursues financial theft and Kimsuky conducts broad geopolitical intelligence gathering, ScarCruft's core mandate is surveillance of the South Korean population and anyone engaged with North Korean affairs: government officials, academics studying the regime, journalists covering the DPRK, human rights workers supporting defectors, and the defector community itself.
This targeting reflects a specific Pyongyang intelligence priority: understanding how South Korean society perceives the regime, tracking defectors who may be sources for foreign intelligence services or media, and monitoring the individuals and organizations that shape South Korean and international policy on North Korea. A journalist who interviews defectors, an academic whose research informs ROK government positions on reunification, a think tank analyst whose publications feed into US policy — these are all primary ScarCruft targets. SentinelLabs captured the group's purpose precisely in 2023: ScarCruft's operations are designed to "gather strategic intelligence that can contribute to North Korea's decision-making processes" and to help the group "gain a better understanding of how the international community perceives developments in North Korea."
The group has been active since at least 2012 and has remained continuously operational through 2025, documented in multiple campaigns as recently as September 2025 (Operation HanKook Phantom targeting National Intelligence Research Association members) and December 2025 (Ruby Jumper, which introduced USB-based air-gap bridging). This longevity reflects an organization that is consistently resourced, consistently tasked, and has built a sophisticated operational cadence that generates actionable intelligence for the regime on an ongoing basis.
ScarCruft's distinctive technical signature is its consistent abuse of legitimate cloud services for command and control — routing C2 traffic through Dropbox, Google Drive, OneDrive, pCloud, Yandex Cloud, and most recently Zoho WorkDrive. This approach makes network-level detection of ScarCruft activity extremely difficult in enterprise environments where these services are regularly used for legitimate purposes. The group combines this cloud C2 infrastructure with a consistent pattern of IE/Edge scripting engine zero-days — exploiting the legacy Internet Explorer rendering engine embedded in applications and older Edge configurations — giving it reliable initial access against South Korean targets who use software that still incorporates IE-based rendering components.
North Korea operates multiple distinct hacking units with different mandates. ScarCruft (APT37) focuses on South Korean domestic intelligence — defectors, journalists, academics, government. Kimsuky (APT43) conducts broader geopolitical intelligence, including targeting foreign policy organizations in the US and Europe. Lazarus Group focuses primarily on financial theft and sanctions evasion. ScarCruft is sometimes confused with Kimsuky due to target overlap and occasional shared infrastructure, but they are distinct operational clusters with different primary missions. Both have been documented targeting the same victims in some instances, suggesting coordination within the RGB intelligence apparatus rather than competition.
The Intelligence Mission: Why Defectors and Journalists
Understanding ScarCruft requires understanding what Pyongyang actually wants from it — and why the targets it consistently pursues are strategically valuable to the North Korean state.
- Defector Surveillance: North Korean defectors — particularly those who have become public figures, policy advocates, or sources for journalists and intelligence services — represent a direct threat to the regime in multiple ways. They provide testimony about conditions inside North Korea, they often maintain contact networks with family members still in the DPRK, and some become sources for South Korean and US intelligence. ScarCruft's surveillance of defectors and the NGOs supporting them provides Pyongyang with visibility into who these individuals are in contact with, what information they are sharing, and potentially how to identify their family members inside North Korea for leverage or punishment. A compromised defector advocacy organization's email server gives the regime a complete map of its defector network.
- Journalists and Media Organizations: North Korea-focused journalists and the outlets they work for are persistently targeted. The intelligence value is twofold: understanding what information journalists have obtained before it is published (allowing the regime to prepare countermeasures or dismiss it as fabricated), and identifying the sources those journalists are using — which may include current or former North Korean officials, defectors, or ROK government contacts. ScarCruft's documented targeting of Daily NK (a South Korean online news outlet focused on North Korean affairs) and academic media organizations reflects this priority.
- Academics and Think Tank Researchers: South Korean and foreign academics who study North Korea — their policy positions, their research methodologies, their data sources, and their networks of contacts — feed directly into ROK government and US policy. A think tank analyst whose research informs South Korean or American positions on negotiations, sanctions, or military posture is a valuable intelligence target. ScarCruft specifically targeted individuals associated with national intelligence research associations — organizations whose work directly informs government decision-making.
- Cybersecurity Professionals: A more recently documented targeting category: ScarCruft has been observed using threat research reports as decoy documents in spear-phishing attacks against cybersecurity professionals. SentinelLabs noted in 2023 that ScarCruft's "focus on consumers of technical threat intelligence reports suggests an intent to gain insights into non-public cyber threat intelligence and defense strategies" — specifically, to understand what the cybersecurity industry knows about ScarCruft's own operations, and to identify detection methods that would allow the group to update its tradecraft before those methods are widely deployed.
Zero-Day Exploitation Pattern: IE as a Persistent Attack Surface
ScarCruft has maintained an unusual and consistent focus on Internet Explorer zero-day vulnerabilities across multiple years — a targeting choice that at first appears anachronistic given Microsoft's formal retirement of IE, but that reflects a specific understanding of the South Korean software ecosystem.
- Why IE After Retirement: Internet Explorer was officially retired by Microsoft in June 2022, but its rendering engine (Trident/MSHTML) and its successor JavaScript engine (JScript9, used in Edge's IE Mode) remain embedded in a significant number of applications — particularly commercial and government software common in South Korea. Applications that use WebView components, legacy enterprise software with IE-based rendering, and Edge running in IE compatibility mode all provide attack surfaces for exploits targeting the IE scripting engine. ScarCruft consistently identifies and exploits vulnerabilities in these components because the targets it pursues in the South Korean government, academic, and media sectors are likely users of affected software configurations.
- CVE-2022-41128 (JScript9 Type Confusion): Discovered by Google TAG in late October 2022. A type confusion vulnerability in the JScript9 engine — the same engine used in Internet Explorer — exploited by ScarCruft via malicious Microsoft Office documents that fetched remote RTF templates, which in turn loaded HTML content rendered by Internet Explorer. The malicious document used the Itaewon Halloween crowd crush (October 29, 2022) as a lure. Google reported the vulnerability to Microsoft on October 31 and patches were released November 8, 2022 — a nine-day window during which ScarCruft exploited the zero-day against South Korean targets.
- CVE-2024-38178 — Operation Code on Toast (May 2024): A memory corruption bug in the Windows Scripting Engine affecting Edge in Internet Explorer Mode. ScarCruft delivered this zero-day through a novel vector: compromised "toast" notification advertisement programs — free software widely installed among the South Korean public that displays pop-up notifications and uses IE-based rendering for ad content. Users who had these legitimate advertisement applications installed were silently exploited simply by having the application run — a zero-click or near-zero-click exploitation mechanism that required no user interaction beyond having the vulnerable software running. AhnLab and South Korea's National Cyber Security Center discovered and reported the campaign; Microsoft patched it in August 2024.
Ruby Jumper: Air-Gap Bridging (December 2025)
The Ruby Jumper campaign, discovered by Zscaler ThreatLabz in December 2025, represents the most significant capability escalation in ScarCruft's documented history. It introduced a complete air-gap bridging toolkit — a set of malware components specifically designed to move commands and data between internet-connected systems and physically isolated systems that have no network connectivity.
Air-gapped systems are the highest-security tier in any sensitive organization. Military systems, intelligence agency networks, classified government databases, and sensitive research environments may be physically isolated from the internet — no Wi-Fi, no Ethernet, no network connections of any kind — relying entirely on removable media for any data transfer. The assumption is that network-level attacks cannot reach these systems. Ruby Jumper is designed to defeat that assumption.
- Infection Chain: The attack begins with a malicious Windows shortcut (LNK) file — consistent with ScarCruft's long-established LNK delivery preference. When opened, the LNK silently launches PowerShell which carves multiple embedded payloads from fixed offsets within the shortcut file itself. The December 2025 campaign used an Arabic-language decoy document about the Israel-Palestine conflict translated from North Korean media — indicating targeting of individuals monitoring North Korean media narratives, possibly in Middle Eastern or international policy contexts.
- RESTLEAF — First-Stage Implant: A Windows implant that communicates with operators via Zoho WorkDrive — the first documented case of ScarCruft abusing Zoho's cloud platform for C2. RESTLEAF uses hardcoded OAuth tokens to authenticate to Zoho WorkDrive and downloads shellcode from a folder named "Second." It signals active infection to operators by dropping timestamped "lion [timestamp]" beacon files in the Zoho WorkDrive folder. The shellcode is injected into memory via process injection, leaving minimal on-disk artifacts.
- SNAKEDROPPER — Ruby Runtime Installer: A second-stage component that installs a complete, self-contained Ruby 3.3.0 runtime in the ProgramData directory — renaming the Ruby interpreter executable from rubyw.exe to usbspeed.exe to appear as a USB utility and evade process-based detection. SNAKEDROPPER replaces a standard Ruby file with malicious code and creates a scheduled task named "rubyupdatecheck" for automatic execution. All payloads are encrypted with a one-byte XOR routine and executed reflectively in memory.
- THUMBSBD / VIRUSTASK — Air-Gap Bridge Components: The operationally critical components. VIRUSTASK targets removable drives: it hides the legitimate files on any inserted USB drive and replaces them with malicious shortcuts. When a victim using an air-gapped system inserts a USB drive and clicks on what appears to be their files, the disguised Ruby interpreter executes embedded shellcode, infecting the air-gapped host. THUMBSBD manages the command relay between the internet-connected and air-gapped systems — using the USB drive as a bidirectional channel for commands and exfiltrated data. A command staged in Zoho WorkDrive on the internet-connected system can be relayed via USB to the air-gapped system, and data exfiltrated from the air-gapped host can be carried back via USB for upload.
- FOOTWINE — Surveillance Backdoor: The final payload on both internet-connected and air-gapped systems, disguised as foot.apk (an Android package file). FOOTWINE supports keylogging, screenshot capture, audio recording, webcam monitoring, file manipulation, registry access, and remote shell execution. C2 communication uses a custom XOR-based key exchange protocol over TCP to 144.172.106[.]66:8080. The disguise as an APK file — a format that Windows security tools may not scan as aggressively as native PE executables — provides additional evasion.
- BLUELIGHT: The previously documented ScarCruft backdoor is also deployed in the Ruby Jumper chain. BLUELIGHT uses multiple legitimate cloud storage providers — Google Drive, Microsoft OneDrive, pCloud, and Backblaze — for C2 operations. It supports arbitrary command execution, file system enumeration, payload download, file upload, and self-removal to reduce forensic artifacts.
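The infection chain above starts from a shortcut that is far larger than a normal .lnk because payloads are carved out of it at fixed offsets. As an added example (not part of the original profile and not any vendor's tooling), the script below triages a shortcut for that shape: a valid ShellLinkHeader, PowerShell-related strings in the UTF-16LE string data, and a large, high-entropy appended blob. The size and entropy thresholds and the two sample shortcuts are constructed assumptions.

```python
"""Triage a Windows shortcut (.lnk) for the oversized, payload-carrying pattern
described above. Added example (not ScarCruft tooling or Zscaler's analysis);
the size/entropy thresholds are assumptions, tune them to your own baseline."""
import math
import random
from collections import Counter

LNK_HEADER_SIZE = 0x4C
# Fixed LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
OVERSIZE_THRESHOLD = 64 * 1024   # assumption: a benign shortcut is a few KB
TAIL_SAMPLE = 4096               # bytes at the end checked for packed/encrypted data
HIGH_ENTROPY = 7.0               # assumption: >7 bits/byte looks random/encrypted

# Strings a shortcut carrying a PowerShell stage or an embedded PE should not
# contain. "usbspeed" is the renamed Ruby interpreter named in the text above.
SUSPICIOUS_MARKERS = (
    "powershell", "-encodedcommand", "frombase64string",
    "this program cannot be run in dos mode", "usbspeed",
)


def has_lnk_header(data: bytes) -> bool:
    """True when the first 20 bytes form a valid ShellLinkHeader prefix."""
    return (len(data) >= LNK_HEADER_SIZE
            and int.from_bytes(data[:4], "little") == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for an empty buffer, at most 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def find_markers(data: bytes) -> list[str]:
    """Search in ASCII and UTF-16LE: LNK string data such as command-line
    arguments is normally stored as UTF-16LE, so an ASCII-only scan misses it."""
    lowered = data.lower()
    return [m for m in SUSPICIOUS_MARKERS
            if m.encode("ascii") in lowered or m.encode("utf-16-le") in lowered]


def triage_lnk(data: bytes) -> dict:
    """Score one shortcut and explain why."""
    valid = has_lnk_header(data)
    markers = find_markers(data)
    tail_entropy = round(shannon_entropy(data[-TAIL_SAMPLE:]), 2)
    oversized = len(data) > OVERSIZE_THRESHOLD
    reasons = []
    if oversized:
        reasons.append(f"size {len(data)} > {OVERSIZE_THRESHOLD}")
    if oversized and tail_entropy >= HIGH_ENTROPY:
        reasons.append(f"high-entropy trailing data ({tail_entropy} bits/byte)")
    if markers:
        reasons.append("markers: " + ", ".join(markers))
    if not valid:
        verdict = "not-a-shortcut"
    elif (oversized and tail_entropy >= HIGH_ENTROPY) or markers:
        verdict = "suspicious"
    else:
        verdict = "likely-benign"
    return {"valid_header": valid, "size": len(data), "oversized": oversized,
            "tail_entropy": tail_entropy, "markers": markers,
            "reasons": reasons, "verdict": verdict}


def build_sample_lnk(string_data: bytes, trailing: bytes = b"") -> bytes:
    """Constructed test input: a minimal header (flags zeroed) followed by
    arbitrary string data and optional trailing bytes. Not a real shortcut."""
    header = LNK_HEADER_SIZE.to_bytes(4, "little") + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + string_data + trailing


# Constructed samples: an ordinary document shortcut and one shaped like the
# chain above (PowerShell arguments plus ~200 KB of opaque appended data).
SAMPLE_BENIGN = build_sample_lnk(
    "C:\\Users\\alice\\Documents\\report.docx".encode("utf-16-le"))
SAMPLE_OVERSIZED = build_sample_lnk(
    "powershell.exe -w hidden -EncodedCommand ...".encode("utf-16-le"),
    random.Random(2025).randbytes(200 * 1024))


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("oversized", SAMPLE_OVERSIZED)):
        print(name, triage_lnk(sample))
```

Run it over a mail-gateway or EDR quarantine folder by reading each .lnk into `triage_lnk`; a "suspicious" verdict with both a size reason and a marker hit is worth pulling for manual analysis before the user is allowed to open it.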
Target Profile
- North Korean Defectors and Defector Support Organizations: The highest-priority consistent target category. Defectors who have become public figures, media sources, or NGO participants, along with the organizations supporting them, provide Pyongyang with visibility into the defector community and the information networks surrounding it.
- South Korean Academic Researchers: Academics at South Korean universities studying North Korean affairs, national security, intelligence policy, and Korean unification. Documented campaigns targeted the National Intelligence Research Association and individuals associated with national security research communities. Operation HanKook Phantom (September 2025) specifically targeted individuals associated with South Korean national intelligence research.
- North Korea-Focused News Organizations: South Korean and international media outlets covering North Korea — including the documented targeting of Daily NK (a South Korean outlet with inside sources from the DPRK). December 2023 campaigns targeted a North Korea-focused news organization alongside academic experts, according to SentinelLabs.
- South Korean Government and Military: Government officials, military personnel, and entities connected to South Korean national security are targeted alongside civilian targets. Operation Daybreak (2016) targeted South Korean government and military organizations.
- Cybersecurity and Threat Intelligence Professionals: An increasingly prominent targeting category. ScarCruft has used threat research reports as decoy documents — including a fake report on Kimsuky — to target cybersecurity professionals. The intelligence value is understanding non-public detection methods and threat intelligence that could compromise ScarCruft's own operations.
- International Targets with DPRK Exposure: Beyond South Korea, ScarCruft has targeted organizations in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and Middle Eastern nations — anywhere that has strategic relevance to North Korean interests. The Ruby Jumper campaign's Arabic-language decoy suggests targeting in Middle Eastern contexts. The NPO Mash breach (2021) targeted a Russian missile technology research firm.
- Korean-Speaking Android Users — KoSpy: The KoSpy Android spyware campaign (2022–2024) targeted Korean and English-speaking users via fake utility apps on the Google Play Store — including apps masquerading as a "File Manager," "Software Update Utility," and "Kakao Security." KoSpy collected SMS messages, call logs, GPS location, device files, audio recordings, and screenshots via dynamically loaded plugins.
Tactics, Techniques & Procedures
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Spear-Phishing — Geopolitical Lures | ScarCruft's primary initial access technique. Spear-phishing emails are precisely targeted to the recipient's known interests — a researcher receiving a document about North Korean troop deployments to Russia, a national security academic receiving what appears to be a conference invitation, a cybersecurity professional receiving a report on Kimsuky. The high relevance of lures to target interests increases open rates and reduces suspicion. Delivery vehicles include LNK files (the current preferred format), HWP (Hangul Word Processor) documents for South Korean government targets, malicious Office documents fetching remote templates, and oversized LNK files embedding full RokRAT payloads. Recent campaigns used Kim Yo Jong statements and national intelligence newsletter themes as lures. |
| T1189 | Drive-by Compromise — Strategic Web Compromises | ScarCruft compromises websites specifically visited by its target populations — South Korean online news outlets covering North Korea, community forums for defectors, and industry portals. The Daily NK watering-hole attack (2021) exploited CVE-2020-1380 and CVE-2021-26411 via injected JavaScript, delivering Cobalt Strike and BLUELIGHT to readers of the outlet. The Operation Code on Toast vector (2024) extended this approach to compromised advertisement server infrastructure, delivering CVE-2024-38178 exploitation to users of widely-installed free software that displays toast notifications using IE-based rendering. |
| T1189 / T1203 | IE/Edge Zero-Day Exploitation — Scripting Engine | ScarCruft maintains a consistent focus on Internet Explorer and Edge scripting engine vulnerabilities — a pattern documented across CVE-2020-1380, CVE-2021-26411, CVE-2022-41128, and CVE-2024-38178. The exploitation targets the JScript9 or Scripting Engine components embedded in applications that use IE-based rendering, including legacy enterprise software, document viewers, and advertisement programs common in the South Korean market. The Operation Code on Toast (2024) delivery via toast ad software was notable as a near-zero-click mechanism — users with vulnerable advertisement software installed were exposed without clicking any phishing link. |
| T1102 | Web Service — Cloud C2 Infrastructure | ScarCruft's most distinctive evasion technique: routing all C2 communication through legitimate, widely-used cloud services. RokRAT uses Dropbox, Google Cloud, pCloud, and Yandex Cloud. BLUELIGHT uses Google Drive, Microsoft OneDrive, pCloud, and Backblaze. RESTLEAF (Ruby Jumper) uses Zoho WorkDrive. This approach makes network-level detection extremely difficult in enterprise environments where these services are in routine use — C2 traffic is indistinguishable from legitimate cloud storage synchronization. Blocking these services entirely as a defensive measure would disrupt legitimate business operations. Detection requires endpoint-based process monitoring to identify which processes are generating the cloud storage connections, rather than connection destination monitoring. |
| T1091 | Replication Through Removable Media — Ruby Jumper Air-Gap Bridge | The December 2025 Ruby Jumper campaign introduced a complete USB-based air-gap bridging toolkit. VIRUSTASK infects USB drives by hiding legitimate files and replacing them with malicious shortcuts. When an air-gapped system user inserts the infected USB drive and opens what appears to be their files, the disguised Ruby interpreter delivers shellcode to the isolated system. THUMBSBD manages bidirectional command-and-data relay between internet-connected and air-gapped hosts via the USB drive as a physical channel. This tradecraft is directly targeted at environments where network isolation is the assumed primary security control. |
| T1027 | Obfuscated Files — Steganography and Encoding | ScarCruft uses steganography to embed malicious code or C2 configuration data within seemingly benign image files. The group also employs PowerShell-based fileless execution, one-byte XOR encryption of payloads for in-memory decryption, and reflective loading — executing payloads directly in memory without writing executable files to disk. Ruby Jumper's use of one-byte XOR with in-memory execution across all payload stages reduces the forensic artifact surface available for detection. The disguise of FOOTWINE as an APK file further evades file-type-based security controls. |
| T1547.001 | Boot/Logon Autostart — Scheduled Tasks | Persistence via scheduled tasks is ScarCruft's documented persistence mechanism in recent campaigns. Ruby Jumper specifically creates a scheduled task named "rubyupdatecheck" for automatic execution of the Ruby-based malware chain. Earlier campaigns used Windows Registry run keys and service creation for persistence. The scheduled task approach is consistent with the group's preference for blending malicious activity with legitimate system maintenance patterns — a task named "rubyupdatecheck" is superficially plausible as a legitimate software maintenance task. |
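The T1091 row describes a warning sign a defender can check for directly: legitimate files on the drive set hidden, with a visible shortcut of the same name beside each one. As an added example (not part of the original profile and not any vendor's tooling), the script below inspects a removable drive's root for exactly that pairing, which is also the visual check the Mitigation section asks personnel to perform before using a drive on an isolated system. The filesystem adapter and the two sample listings are constructed assumptions.

```python
"""Inspect the root of a removable drive for the VIRUSTASK pattern described
in the T1091 row: legitimate files set hidden and a visible .lnk of the same
name left in their place. Added example, not part of the original profile or
of any vendor tooling; the filesystem adapter is a best-effort assumption."""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class DriveEntry:
    name: str      # entry name at the drive root, e.g. "Q3 report.docx"
    hidden: bool   # Windows hidden attribute (or a dot-prefix elsewhere)


def is_hidden(entry: os.DirEntry) -> bool:
    """Hidden attribute on Windows; dot-prefix fallback on other platforms."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)            # Windows only
    flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)         # Windows only
    return bool(attrs & flag) or entry.name.startswith(".")


def list_drive_root(root: str) -> list[DriveEntry]:
    """Adapter from a real mounted drive (e.g. 'E:\\') to DriveEntry records."""
    return [DriveEntry(e.name, is_hidden(e)) for e in os.scandir(root)]


def find_shortcut_replacements(entries: list[DriveEntry]) -> list[tuple[str, str]]:
    """Pair each hidden entry with a visible shortcut that impersonates it.
    Both "report.docx.lnk" and "report.lnk" are accepted as the decoy name."""
    shortcuts = {e.name[:-4].lower(): e.name
                 for e in entries if not e.hidden and e.name.lower().endswith(".lnk")}
    pairs = []
    for h in (e for e in entries if e.hidden):
        original = h.name.lower()
        for decoy_stem in (original, os.path.splitext(original)[0]):
            if decoy_stem in shortcuts:
                pairs.append((h.name, shortcuts[decoy_stem]))
                break
    return pairs


def assess_drive(entries: list[DriveEntry]) -> dict:
    """Summarise the drive: replacement pairs, whether every visible item is a
    shortcut (the user's view after VIRUSTASK has run), and a verdict.
    Legitimately hidden entries such as 'System Volume Information' do not
    trigger on their own because they have no matching shortcut."""
    pairs = find_shortcut_replacements(entries)
    visible = [e for e in entries if not e.hidden]
    only_shortcuts = bool(visible) and all(e.name.lower().endswith(".lnk") for e in visible)
    if pairs:
        verdict = "suspicious"
    elif only_shortcuts:
        verdict = "review"       # shortcuts only, but nothing hidden to pair them with
    else:
        verdict = "clean"
    return {"replacements": pairs, "only_shortcuts_visible": only_shortcuts,
            "hidden_count": len(entries) - len(visible), "verdict": verdict}


# Constructed listings standing in for a real drive root.
INFECTED_DRIVE = [
    DriveEntry("Q3 report.docx", True), DriveEntry("Q3 report.docx.lnk", False),
    DriveEntry("photos", True), DriveEntry("photos.lnk", False),
    DriveEntry("System Volume Information", True),
]
CLEAN_DRIVE = [
    DriveEntry("Q3 report.docx", False), DriveEntry("photos", False),
    DriveEntry("System Volume Information", True),
]


if __name__ == "__main__":
    import sys
    # Pass a mounted drive root as the first argument; otherwise use the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    listing = list_drive_root(target) if target else INFECTED_DRIVE
    print(assess_drive(listing))
```

On a transfer workstation the check belongs before the drive is ever opened in Explorer, since the decoy shortcut only does harm when a user double-clicks it.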
Known Campaigns
- Operation Code on Toast (May 2024): ScarCruft exploited a zero-day memory corruption vulnerability (CVE-2024-38178, CVSS 7.5) in the Windows Scripting Engine — specifically targeting the IE scripting engine in Edge's Internet Explorer Mode — via a novel delivery mechanism: compromised "toast" advertisement programs. Free South Korean advertisement applications that display popup notifications used IE-based rendering components. ScarCruft compromised the advertisement delivery server infrastructure, injecting exploit code that silently executed RokRAT on any system running the vulnerable advertisement software when an ad was displayed — requiring no phishing click from the user. AhnLab and South Korea's National Cyber Security Center (NCSC) discovered and reported the campaign, designating the cluster TA-RedAnt. Microsoft patched CVE-2024-38178 in August 2024.
- Operation HanKook Phantom (September 2025): Seqrite Labs documented a ScarCruft campaign targeting individuals associated with South Korea's National Intelligence Research Association — a research group focused on national intelligence, labor relations, security, and energy issues. The attack used a spear-phishing email with a lure themed around the National Intelligence Research Society Newsletter (Issue 52). The LNK file initiated a PowerShell chain leading to RokRAT deployment. A second concurrent campaign used a Kim Yo Jong statement as a lure document — deploying a dropper that exfiltrated data while disguising network traffic as a Chrome file upload. The targeting of national intelligence research community members reflects the group's sustained focus on organizations that directly inform South Korean government security policy.
- Dropbox-link spear-phishing documented by Genians: South Korean cybersecurity firm Genians documented APT37 targeting South Korean national security organizations with spear-phishing emails containing Dropbox links. One email offered information on North Korean troop deployments to Russia — a high-interest topic for South Korean national security analysts — while another posed as a national security conference invitation. Multiple Yandex email accounts were used in the campaign. The lures reflect ScarCruft's consistent approach of using high-relevance current events to target specific communities of interest, with Dropbox links as a recurring delivery mechanism for RokRAT.
- Academic and media targeting documented by SentinelLabs (November–December 2023): SentinelLabs documented ScarCruft targeting South Korean academic experts on North Korean affairs and a North Korea-focused news organization in November and December 2023. The goal was explicitly to "gain a better understanding of how the international community perceives developments in North Korea." A campaign in December used a decoy document disguised as a research report on Kimsuky — targeting cybersecurity professionals and threat researchers to gather non-public intelligence about detection capabilities. The use of Kimsuky as a decoy theme is operationally significant: it suggests ScarCruft is specifically trying to understand how it and related North Korean hacking groups are being tracked.
- Ruby Jumper (December 2025): Zscaler ThreatLabz discovered the Ruby Jumper campaign in December 2025 — the most technically ambitious APT37 operation in the group's documented history. The campaign introduced five new malware tools (RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE) alongside the established BLUELIGHT backdoor. The attack chain began with a malicious LNK file with an Arabic-language decoy about Israel-Palestine coverage translated from North Korean media, suggesting targeting of individuals interested in how the DPRK frames the conflict. RESTLEAF communicated via Zoho WorkDrive. SNAKEDROPPER deployed a self-contained Ruby 3.3.0 runtime disguised as a USB utility. VIRUSTASK infected removable drives to carry the infection to air-gapped systems. THUMBSBD managed bidirectional command and data relay via USB. FOOTWINE provided full surveillance capability on both connected and isolated hosts. The capability to bridge air-gapped systems via USB puts ScarCruft on a comparable technical level to Stuxnet-era tradecraft for reaching isolated networks.
- KoSpy (2022–2024): Lookout Threat Lab discovered KoSpy, an Android spyware attributed to APT37 with medium confidence, distributed via the Google Play Store and third-party app stores including APKPure. KoSpy masqueraded as utility applications — "File Manager," "Software Update Utility," and "Kakao Security" (impersonating the widely-used South Korean messaging app's security product). The spyware used a two-stage C2 infrastructure with initial configurations retrieved from Google Firebase Firestore. Capabilities included SMS collection, call log access, GPS location tracking, file system access, audio recording, and screenshot capture via dynamically loaded plugins. All identified apps were removed from Google Play by Google after Lookout's disclosure in 2025, and associated Firebase projects were deactivated.
Tools & Malware
- RokRAT: ScarCruft's signature long-running backdoor, deployed consistently since at least 2017. RokRAT provides remote access, system information collection, arbitrary command execution, file system enumeration, screenshot capture every three minutes, keystroke logging, and clipboard monitoring. C2 exclusively via legitimate cloud services: Dropbox, Google Cloud, pCloud, and Yandex Cloud. Configured to use Yandex Cloud by default with fallback to other providers. The cloud C2 approach makes RokRAT traffic blend with regular enterprise traffic patterns. Delivered via LNK files, HWP exploits, Office documents, and zero-day exploitation depending on campaign.
- BLUELIGHT: A full-featured backdoor using Microsoft Graph API / OneDrive, Google Drive, pCloud, and Backblaze for C2. Capabilities include arbitrary command execution, file system enumeration, additional payload download, file upload, and self-removal to reduce forensic evidence. First documented in a watering-hole attack on Daily NK. Reused in the Ruby Jumper campaign alongside the new toolkit. The multi-cloud C2 flexibility means disabling one cloud provider does not interrupt C2 access.
- Dolphin: A more capable backdoor documented by ESET in 2022, providing extensive surveillance: drive monitoring, file exfiltration, keylogging, screenshot capture, and browser credential theft from Chrome, Edge, and Internet Explorer. Deployed against specific high-value targets after initial access is established with lower-tier tools.
- Chinotto: A PowerShell-based backdoor used for reconnaissance and second-stage payload download. Delivered via CHM files, malicious LNK files, and other document-based vectors. Used consistently across multiple campaign years as a lightweight first-stage reconnaissance tool.
- GOLDBACKDOOR: A cloud-connected backdoor using Microsoft OneDrive for C2, documented in 2022 campaigns targeting North Korean affairs journalists and political activists.
- RESTLEAF / SNAKEDROPPER / THUMBSBD / VIRUSTASK / FOOTWINE: The five new components introduced in the December 2025 Ruby Jumper campaign. RESTLEAF (Zoho WorkDrive C2 first-stage), SNAKEDROPPER (Ruby runtime installer and persistence), THUMBSBD and VIRUSTASK (USB air-gap bridge components), and FOOTWINE (full surveillance backdoor with keylogging, audio/video capture, remote shell). See the Ruby Jumper section above for complete technical details.
- KoSpy: Android spyware distributed via Google Play and third-party stores. SMS, calls, location, files, audio, screenshots. Firebase Firestore for initial C2 configuration. Korean and English language support. Active 2022–2024.
- BabyShark: A Visual Basic Script-based malware family used in campaigns targeting US policy think tanks in 2021. Primarily a reconnaissance and data exfiltration tool for the early stages of an intrusion.
Indicators of Compromise
IOCs from AhnLab/NCSC Operation Code on Toast analysis, SentinelLabs 2023 ScarCruft research, Seqrite Operation HanKook Phantom, Zscaler ThreatLabz Ruby Jumper analysis (December 2025), and Lookout KoSpy disclosure. Full IOC sets are in each source advisory linked in the Sources section.
Mitigation & Defense
ScarCruft's consistent targeting of individuals rather than organizations presents a different defensive challenge from network perimeter-focused threats. The targets are people — researchers, journalists, policy professionals — whose job requires them to open documents from external sources, visit specialized websites, and engage with potentially unknown contacts. Defensive strategy must account for this legitimate operational context.
- Patch IE Mode and Legacy Rendering — Immediately: ScarCruft has exploited IE/Edge scripting engine zero-days in 2020, 2022, and 2024. The August 2024 patch for CVE-2024-38178 must be applied to all Windows endpoints. Organizations should also audit what software in their environment uses IE-based rendering components — including legacy enterprise applications, advertisement software, and utilities with embedded WebView components — and either update those applications or remove them. Disabling IE Mode in Edge via Group Policy is a defensive measure for organizations that do not have legitimate IE compatibility requirements.
- Removable Media Controls for Air-Gapped Environments: The Ruby Jumper campaign specifically weaponizes the USB-based data transfer that air-gapped environments rely on. Organizations with air-gapped systems should implement hardware-level USB device controls that restrict which devices can connect, scan all removable media with dedicated security tools before use in isolated environments, and train personnel to recognize the warning sign that VIRUSTASK creates — files hidden and replaced by shortcuts on USB drives. Air-gap protocols should include visual inspection of USB drive contents before use on isolated systems.
- Monitor Cloud Storage Process Connections: ScarCruft routes all its C2 through legitimate cloud services. Blocking Dropbox, Google Drive, pCloud, Yandex, and Zoho WorkDrive at the network level is impractical for organizations that use these services. Instead, implement endpoint monitoring that identifies which processes are making API calls to cloud storage providers — a PowerShell script or an unexpected background process connecting to Dropbox is anomalous even if the destination is not blocked. Cloud-based C2 detection requires process lineage monitoring rather than destination-based blocking.
- LNK File Awareness and Controls: ScarCruft has consistently used malicious LNK files as its primary delivery vector for multiple years. Implement Group Policy to show file extensions for all file types, making disguised LNK files visible. Apply attack surface reduction rules that block the execution of potentially obfuscated scripts, including those launched from shortcut files. User awareness training for high-risk individuals (researchers, journalists, policy professionals, defector advocates) should specifically address the risks of LNK files received by email or messaging platforms.
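The two endpoint settings discussed in the IE Mode and LNK items above can be audited and applied from one script. This is an added example, not from the profile or from Microsoft documentation as such; it assumes an elevated session, uses the registry values that the corresponding Group Policy settings write (`InternetExplorerIntegrationLevel` for Edge IE mode, `HideFileExt` for extension display), and the process-module scan is a constructed heuristic for spotting software that still loads the legacy MSHTML/JScript engines, not a complete inventory.

```powershell
# Added example (not from the profile): report, and with -Apply enforce, the endpoint settings
# discussed above. Reporting is the default so the change can be reviewed before rollout.
param([switch]$Apply)

# --- 1. Which running processes have the legacy IE rendering/scripting engines loaded? ---
function Get-ProcessesUsingLegacyIeEngines {
    $legacy = 'mshtml.dll', 'jscript.dll', 'jscript9.dll'   # constructed heuristic list
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        try { $mods = $_.Modules | ForEach-Object { $_.ModuleName } } catch { return }  # protected processes
        $hit = $mods | Where-Object { $legacy -contains $_ }
        if ($hit) { [pscustomobject]@{ Name = $_.ProcessName; Id = $_.Id; LegacyModules = ($hit -join ',') } }
    }
}

# --- 2. Policy values -------------------------------------------------------------------
$EdgePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'   # InternetExplorerIntegrationLevel 0 = IE mode off
$ExplorerAdv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'  # HideFileExt 0 = show
$AsrObfuscatedScripts = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'  # ASR: block potentially obfuscated scripts

function Get-AsrRuleAction {
    param([string]$RuleId)
    $mp = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids); $acts = @($mp.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) { return $acts[$i] }   # 0 Off, 1 Block, 2 Audit, 6 Warn
    }
    return $null
}

function Get-HardeningState {
    [pscustomobject]@{
        EdgeIeModeLevel   = (Get-ItemProperty -Path $EdgePolicy  -Name InternetExplorerIntegrationLevel -ErrorAction SilentlyContinue).InternetExplorerIntegrationLevel
        HideFileExt       = (Get-ItemProperty -Path $ExplorerAdv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
        AsrObfuscatedMode = Get-AsrRuleAction -RuleId $AsrObfuscatedScripts
    }
}

function Set-Hardening {
    New-Item -Path $EdgePolicy -Force | Out-Null
    Set-ItemProperty -Path $EdgePolicy  -Name InternetExplorerIntegrationLevel -Value 0 -Type DWord
    Set-ItemProperty -Path $ExplorerAdv -Name HideFileExt -Value 0 -Type DWord
    # Add-MpPreference merges with existing rules rather than replacing the list
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrObfuscatedScripts -AttackSurfaceReductionRules_Actions Enabled
}

Write-Output 'Processes with legacy IE engines loaded (review each: update, isolate or remove):'
Get-ProcessesUsingLegacyIeEngines | Format-Table -AutoSize
Write-Output 'Current state (null = not configured):'
Get-HardeningState | Format-List
if ($Apply) { Set-Hardening; Write-Output 'After apply:'; Get-HardeningState | Format-List }
```

Run it first without `-Apply` on a representative set of machines: the module scan tells you which line-of-business applications would break if IE mode were switched off, which is exactly the audit the text says must precede removal. For fleet-wide enforcement set the same values through Group Policy or your endpoint manager; the registry writes here are the per-machine equivalent, and `HideFileExt` under HKCU only affects the user the script runs as.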
- High-Risk Individual Security Programs: Journalists, academics, defectors, and advocacy workers who are ScarCruft's primary targets require tailored security support beyond standard enterprise controls. Consider providing these individuals with hardened devices or browser isolation solutions for their highest-risk work. Threat intelligence briefings specifically addressing North Korean targeting of their community — the specific lure themes, delivery mechanisms, and warning signs — can significantly reduce successful phishing against individuals whose work requires engaging with external documents and sources.
- Audit Scheduled Tasks After Any Security Event: Ruby Jumper persists via a scheduled task named "rubyupdatecheck" — plausibly legitimate, hard to spot in a long list of scheduled tasks. Implement baseline monitoring of scheduled tasks: hash all existing scheduled tasks and alert on any new task creation. Any new scheduled task should be treated as a potential persistence mechanism requiring investigation, especially in high-risk environments.
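The baseline described above, as an added example that is not part of the profile: every task's full XML definition is hashed, the hashes are stored, and later runs report tasks that are new, changed or removed, so a plausibly named addition such as "rubyupdatecheck" shows up as NEW regardless of how it is named. The baseline path and the `-Update` switch are assumptions for this example.

```powershell
# Added example (not from the profile): hash scheduled task definitions into a baseline and
# diff against it. Keep the baseline somewhere the endpoint cannot silently rewrite, or ship the
# output to a SIEM; a baseline an attacker can update is not a baseline.
param(
    [string]$BaselinePath = 'C:\ProgramData\TaskBaseline\tasks.json',   # assumed location
    [switch]$Update   # rewrite the baseline after reporting differences
)

function Get-ScheduledTaskHashes {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $result = @{}
    foreach ($t in Get-ScheduledTask) {
        # Export-ScheduledTask returns the complete XML (triggers, actions, principal, settings),
        # so a changed command line or trigger changes the hash even if the name does not
        $xml   = Export-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath
        $hash  = ($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($xml)) | ForEach-Object { $_.ToString('x2') }) -join ''
        $action = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' | '
        $result[$t.TaskPath + $t.TaskName] = @{ Hash = $hash; Action = $action; Author = $t.Author }
    }
    $sha.Dispose()
    return $result
}

function Compare-TaskBaseline {
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'NEW';     Task = $k; Action = $Current[$k].Action; Author = $Current[$k].Author }
        } elseif ($Baseline[$k].Hash -ne $Current[$k].Hash) {
            [pscustomobject]@{ Change = 'CHANGED'; Task = $k; Action = $Current[$k].Action; Author = $Current[$k].Author }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'REMOVED'; Task = $k; Action = $Baseline[$k].Action; Author = $Baseline[$k].Author }
        }
    }
}

function Import-TaskBaseline {
    param([string]$Path)
    # ConvertFrom-Json yields PSCustomObjects; rebuild a hashtable for key lookups
    $raw = Get-Content -Raw -Path $Path | ConvertFrom-Json
    $baseline = @{}
    foreach ($p in $raw.PSObject.Properties) {
        $baseline[$p.Name] = @{ Hash = $p.Value.Hash; Action = $p.Value.Action; Author = $p.Value.Author }
    }
    return $baseline
}

$current = Get-ScheduledTaskHashes
if (Test-Path $BaselinePath) {
    $diff = Compare-TaskBaseline -Baseline (Import-TaskBaseline -Path $BaselinePath) -Current $current
    if ($diff) { $diff | Sort-Object Change, Task | Format-Table -AutoSize }
    else       { Write-Output 'No scheduled task changes since baseline' }
} else {
    Write-Output "No baseline at $BaselinePath; creating one from $($current.Count) tasks"
    $Update = $true
}
if ($Update) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath -Encoding UTF8
}
```

Schedule the comparison itself from a management host or run it as part of incident triage; every NEW row is the "treat as potential persistence" case the text describes, and the `Action` column puts the executed command next to the task name so a benign-sounding name does not hide what it runs. Windows Update and application installers legitimately add tasks, so expect to review and `-Update` after patch cycles rather than silencing the alert.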
ScarCruft is unusual among the actors profiled here because its targets are primarily individuals rather than organizations — and specifically individuals whose work is inseparable from the information that makes them targets. A journalist who stops talking to North Korean defectors to protect herself from ScarCruft has effectively let the threat actor accomplish its goal without executing a single line of malicious code. This is the genuine tension at the heart of defending against this threat: the human beings ScarCruft wants to surveil are human beings whose professional and humanitarian work requires exactly the communication patterns the group exploits. The December 2025 Ruby Jumper campaign's air-gap bridging capability represents a significant escalation — suggesting ScarCruft is now targeting individuals with access to classified or air-gapped systems, not just open-source researchers and journalists. The combination of zero-day exploitation, sophisticated cloud C2, USB air-gap bridging, and Android mobile surveillance gives this actor a comprehensive capability stack that covers the primary device types and network configurations its target population uses. The progression from targeted espionage against defectors in 2012 to air-gap bridging capability in 2025 describes a unit that has been consistently resourced, consistently tasked, and consistently improving for over a decade.
Sources & Further Reading
Attribution and references used to build this profile.
- Zscaler ThreatLabz — APT37 Adds New Capabilities for Air-Gapped Networks (Ruby Jumper, December 2025)
- The Hacker News — ScarCruft Exploits Windows Zero-Day CVE-2024-38178 (Operation Code on Toast, 2024)
- The Hacker News — ScarCruft Uses RokRAT in Operation HanKook Phantom (September 2025)
- Recorded Future News — APT37 Espionage Campaign Targeting South Korea NK-Focused Organizations (2025)
- Recorded Future News — ScarCruft Targeting NK Affairs Experts and News Media (2024)
- Lookout — KoSpy Android Spyware Attributed to APT37 (2025)
- Google TAG — Internet Explorer Zero-Day Exploited by APT37 (CVE-2022-41128)
- MITRE ATT&CK — Group G0067: APT37